diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write index 348eb6c9..996287cd 100644 --- a/apparmor.d/abstractions/dconf-write +++ b/apparmor.d/abstractions/dconf-write @@ -5,6 +5,16 @@ # Permissions for querying dconf settings with write access; use the dconf # abstraction first, and dconf-write only for specific application's profile. + dbus send bus=session path=/ca/desrt/dconf/Writer/user + interface=ca.desrt.dconf.Writer + member=Change + peer=(name=ca.desrt.dconf), # no peer's labels + + dbus receive bus=session path=/ca/desrt/dconf/Writer/user + interface=ca.desrt.dconf.Writer + member=Notify + peer=(name=:*, label=dconf-service), + /etc/dconf/** r, owner @{user_config_dirs}/dconf/user r, diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 0298d054..f39bcab0 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer 
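Review bot: The new `dbus send ... member=Change` rule names the peer only as `ca.desrt.dconf` while the matching `dbus receive ... member=Notify` rule two lines later pins `label=dconf-service`, so the write path is looser than the read path for no stated reason; the trailing `# no peer's labels` says what is missing, not why. If dconf-service is expected to run confined, tighten it to `peer=(name=ca.desrt.dconf, label=dconf-service),`; if the label is deliberately left off (for instance because some systems run the service unconfined), say so in the comment. Because this abstraction now grants every includer the ability to change any dconf key, a one-line warning above the rules would help, e.g. `# Grants write access to all dconf keys of the user; include only where the application really persists settings.` Two profiles in this same commit (gnome-shell, engrampa) drop their local copies of these rules, and the include targets are not visible in this rendering, so confirm each of them actually picks this abstraction up.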
@@ -1,32 +1,40 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
+ @{lib}/frei0r-[0-9]/*.so mr,
+ @{lib}/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner{,x86_64} mrix,
+ @{lib}/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner{,x86_64} mrix,
+ @{lib}/@{multiarch}/libproxy/*/modules/*.so mr,
+ @{lib}/@{multiarch}/libproxy/*/pxgsettings ixr,
+ @{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
 /etc/openni2/OpenNI.ini r,
- /tmp/ r,
+ owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/ rw,
+ owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
+
+ /tmp/ r,
 /var/tmp/ r,
- /dev/ r,
- /dev/bus/usb/ r,
- /dev/dri/ r,
+ # The orcexec.* file is JIT compiled code for various GStreamer elements.
+ # If one is blocked the next is used instead.
+ # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag.
+ owner @{run}/user/@{uid}/orcexec.* mrw,
+ #owner /tmp/orcexec.* mrw,
+ #owner @{HOME}/orcexec.* mrw,
- # /dev/shm is a symlink to /run/shm on ubuntu
- #owner /{dev,run}/shm/shmfd-* rw,
+ @{run}/udev/data/+drm:* r, # For screen outputs
+ @{run}/udev/data/+usb:* r, # For /dev/bus/usb/**
- # @{run}/udev/data/c81:[0-9]* r, # For video4linux
 @{run}/udev/data/c189:[0-9]* r, # For USB serial converters
 @{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card[0-9]*
- @{run}/udev/data/+drm:* r, # For screen outputs
- #@{run}/udev/data/+pci:* r,
- @{run}/udev/data/+usb:* r, # For /dev/bus/usb/**
 @{sys}/bus/ r,
- @{sys}/bus/usb/devices/ r,
 @{sys}/bus/media/devices/ r,
+ @{sys}/bus/usb/devices/ r,
 @{sys}/class/ r,
 @{sys}/class/drm/ r,
 @{sys}/class/video4linux/ r,
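Review bot: The new `{,x86_64}` alternation on both `gst-plugin-scanner` rules hardcodes a single architecture into an abstraction that is otherwise arch-neutral (it already uses `@{multiarch}` for the library path), so on any other architecture a suffixed scanner binary would be denied rather than matched. If the suffixed name is shipped by one specific distribution, say which in a trailing comment so the next maintainer knows whether to generalise it; otherwise use an arch-neutral pattern. Separately, the re-homed `owner @{run}/user/@{uid}/orcexec.* mrw,` line grants write and map-executable on the same file, which is a deliberate W^X exception that every profile including this abstraction inherits; the comment block above it explains that the file is JIT output but not that trade-off, so add `# NOTE: mrw here allows writable+executable JIT pages; every includer inherits this W^X exception.`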
@@ -34,22 +42,8 @@
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node[0-9]*/meminfo r,
- # The orcexec.* file is JIT compiled code for various GStreamer elements.
- # If one is blocked the next is used instead.
- # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec
- # flag.
- owner @{run}/user/@{uid}/orcexec.* mrw,
- #owner /tmp/orcexec.* mrw,
- #owner @{HOME}/orcexec.* mrw,
-
- @{lib}/frei0r-[0-9]/*.so mr,
- @{lib}/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
- @{lib}/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
- @{lib}/@{multiarch}/libproxy/*/modules/*.so mr,
- @{lib}/@{multiarch}/libproxy/*/pxgsettings ixr,
- @{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
-
- owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/ rw,
- owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
+ /dev/ r,
+ /dev/bus/usb/ r,
+ /dev/dri/ r,
 include if exists
\ No newline at end of file
diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord
index eb182a28..674fab78 100644
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@@ -50,7 +50,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
 dbus receive bus=system path=/org/freedesktop/ColorManager/**
 interface=org.freedesktop.DBus.Properties
 member=GetAll
- peer=(name=:*, label=@{profile_name}),
+ peer=(name=:*, label="{@{profile_name},gsd-color}"),
 dbus bind bus=system name=org.freedesktop.ColorManager,
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index 9a1bd8c9..fc5b2702 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -13,6 +13,7 @@ profile pulseaudio @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
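Review bot: The abstraction still ends without a trailing newline — the `\ No newline at end of file` marker sits on the closing `include if exists` line — and since this hunk already rewrites the tail of the file it is the natural place to fix that, so that the next append does not produce a noisy diff or a concatenated last line. The three re-added `/dev/ r,`, `/dev/bus/usb/ r,` and `/dev/dri/ r,` rules are directory listings only, which is consistent with the udev and sysfs read rules above them.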
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index faace6eb..74fa0bc0 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -107,6 +107,16 @@ profile xdg-desktop-portal-gnome @{exec_path} { member=GetAll peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Settings + member=Read + peer=(name=:*, label=xdg-desktop-portal), + dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index fa9e7405..f230f3e8 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -395,16 +395,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=gnome-extension-ding), - dbus send bus=session path=/ca/desrt/dconf/Writer/user - interface=ca.desrt.dconf.Writer - member=Change - peer=(name=ca.desrt.dconf), # no peer's labels - - dbus receive bus=session path=/ca/desrt/dconf/Writer/user - interface=ca.desrt.dconf.Writer - member=Notify - peer=(name=:*, label=dconf-service), - dbus send bus=session path=/org/gnome/ControlCenter interface=org.gtk.Actions member=DescribeAll diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index ceb33440..ea6e8e79 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/tracker-miner-fs-{,control-}3 profile tracker-miner @{exec_path} flags=(attach_disconnected) { include + include include include include 
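Review bot: The new `dbus receive` rule for `org.freedesktop.impl.portal.Settings` admits only `member=Read`; that interface also exposes a `ReadAll` method, which the portal frontend commonly uses when it first queries a settings backend, so if denials for it appear the rule should read `member={Read,ReadAll}` rather than gaining a second copy. Pinning the peer to `label=xdg-desktop-portal` is the right shape and should be kept when the member list grows. The `ListMountableInfo` send to gvfsd mirrors the rule tracker-miner keeps in this same commit, which is consistent.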
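Review bot: The `include` added to tracker-miner here has no visible target in this rendering, and the later hunk of the same file removes the `dbus receive ... member=Mounted peer=(name=:*, label=gvfsd)` rule with nothing local replacing it; unless the abstraction being pulled in carries that receive rule, tracker-miner will start logging denials each time gvfsd emits `Mounted`. The removed `ListMountableInfo` send is already covered by the `member={ListMonitorImplementations,ListMountableInfo}` rule that stays as context, so that part is a pure de-duplication. A trailing comment on the new include naming the gvfs feature it replaces would make the dependency explicit.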
@@ -36,16 +37,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { member={ListMonitorImplementations,ListMountableInfo} peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=ListMountableInfo - peer=(name=:*, label=gvfsd), - - dbus receive bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=Mounted - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member={List,IsSupported} diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 24a42997..6305a5b4 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -42,12 +42,17 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { member=ListMountableInfo peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member=MountAdded + peer=(name=org.freedesktop.DBus, label=tracker-*), + dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member={List,IsSupported} peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"), - dbus receive bus=session path=/{,org} + dbus receive bus=session path=/{,org,org/gtk,org/gtk/Private,org/gtk/Private/RemoteVolumeMonitor} interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell), diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index 6868740a..d9d9a1c3 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/kwin_x11 profile kwin_x11 @{exec_path} { include + include include include include 
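Review bot: The new `dbus send ... member=MountAdded` rule in gvfs-udisks2-volume-monitor limits the signal's recipients to `label=tracker-*`, while the `dbus receive ... member={List,IsSupported}` rule directly below already lists gnome-shell, gnome-control-center, gnome-extension-ding, tracker-* and unconfined as RemoteVolumeMonitor clients; a signal is delivered to every subscriber, so each of those other listeners will most likely produce a send denial for `MountAdded`. Either widen the peer to the same alternation, `peer=(name=org.freedesktop.DBus, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"),`, or add a comment explaining why only tracker is expected to subscribe. Extending the `Introspect` path list to the RemoteVolumeMonitor object hierarchy is fine as it stays pinned to `label=gnome-shell`.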
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 6c95ebce..d3861fc1 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -13,6 +13,7 @@ profile plasmashell @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 055ae9be..ee4ccd2c 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -84,6 +84,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects, + dbus receive bus=system path=/org/bluez/hci*/** + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*), + dbus bind bus=system name=org.freedesktop.NetworkManager, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index b93a0c1f..ca18e949 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -10,6 +10,7 @@ include profile check-new-release-gtk @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index b72c4768..d4ffa988 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/livepatch-notification profile livepatch-notification @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index f7016e87..43f45267 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification 
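Review bot: The new NetworkManager `dbus receive` rule for `PropertiesChanged` under `/org/bluez/hci*/**` leaves the peer as `name=:*` with no label, unlike every other labelled peer rule in this commit, so any process on the system bus can feed matching signals to NetworkManager. These signals originate from the BlueZ daemon; if a bluetoothd profile exists in this set, pin it with `peer=(name=:*, label=bluetoothd),`, and if BlueZ is expected to run unconfined here, say so in a comment next to the rule rather than leaving the omission silent. The hunk sits inside the `profile NetworkManager` body, which continues outside it.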
@@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/ubuntu-advantage-notification profile ubuntu-advantage-notification @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index a5b63d98..b4fd9596 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -11,6 +11,7 @@ profile update-notifier @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index cc0c5b80..948d4ff1 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -9,30 +9,25 @@ include @{exec_path} = @{bin}/engrampa profile engrampa @{exec_path} { include - include - include - include - include - include - include - include - include - include - include include include + include + include + include + include + include + include include + include + include + include + include dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetId peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=session path=/ca/desrt/dconf/Writer/user - interface=ca.desrt.dconf.Writer - member={Change,Notify} - peer=(name=ca.desrt.dconf), - dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member={IsSupported,List} diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 7fb5801b..d2e83eb1 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/file-roller profile file-roller @{exec_path} { include + include include include include diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index a6c872ce..b4700a62 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc 
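Review bot: The local rule engrampa drops here granted `dbus send ... member={Change,Notify}` to `ca.desrt.dconf`; `Notify` is a signal the dconf service emits and a client never sends, so the send/receive split introduced in the `abstractions/dconf-write` hunk of this commit is the correct shape and removing the local copy is right. What this hunk does not show is which of the ten re-added `include` lines pulls that abstraction in, because the include targets are not visible in this rendering; confirm one does, or engrampa silently loses the dconf write path it had. A trailing comment on that include naming the reason would prevent the next reorder from dropping it.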
@@ -10,6 +10,8 @@ include
 @{exec_path} = @{bin}/keepassxc
 profile keepassxc @{exec_path} {
 include
+ include
+ include
 include
 include
 include
diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga
index 7ea7649c..e8f690d0 100644
--- a/apparmor.d/profiles-m-r/qemu-ga
+++ b/apparmor.d/profiles-m-r/qemu-ga
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/qemu-ga
 profile qemu-ga @{exec_path} {
 include
+ include
 capability mknod,
 capability net_admin,
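Review bot: Two includes are added to the keepassxc profile with no comment naming the feature that needs them, and their targets are not visible in this rendering. A password manager's profile is where every extra abstraction is attack surface worth justifying, so a trailing comment on each new line recording the denial or feature that motivated it (for example which desktop integration the abstraction serves) would let a later reviewer drop it when that feature goes away. The profile body continues beyond this hunk.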